Confidentiality & Privacy Flashcards

1
Q

What kind of party losses are compensatory damages?

A

3rd party losses because they provide restitution for the harm caused to consumers.

2
Q

What is symmetric key encryption?

A
  • It is a type of encryption that uses the same private key for encryption and decryption.
  • This encryption type is good for protecting data at rest in a database.
  • It uses Advanced Encryption Standard (AES) to generate keys of 128, 192, or 256 bits.
3
Q

What is asymmetric encryption?

A
  • It is encryption in which a public key is used for encryption and a private key is used for decryption.
  • Asymmetric encryption uses the RSA algorithm to generate keys.
    This encryption uses key length of 2048, 3072, or 4096 bits.
4
Q

What is the RSA algorithm?

A
  • It is an algorithm used in blockchain technology, for digital signatures, and in situations where identification is necessary.
  • RSA requires much larger keys than AES, usually 2048, 3072, or 4096 bits.
5
Q

What does symmetric encryption secure?

A

It secures the actual data being transmitted.

6
Q

What does asymmetric encryption do?

A

It is used to establish a secure communication channel.

7
Q

What is a suitable choice for securing email communication or messaging applications?

A

Asymmetric encryption, because there are separate public and private keys.

8
Q

Merchants that process credit cards must comply with what?

A

Payment Card Industry Data Security Standard (PCI DSS)

9
Q

What is tokenization?

A
  • It is a data obfuscation (process of concealing information) technique that substitutes a customer’s credit card number with a random alphanumeric string (the token).
  • The merchant transfers the token to the payment processor, who then tokenizes the token to confirm payment (tokenizing is the process of HIDING your customer’s card information with a randomly generated series of letters and numbers, an alphanumeric string of characters called a “token”, that can only be decrypted by the bank when processing a transaction).
10
Q

What does encryption use that tokenization doesn’t use?

A

Keys

11
Q

What is data masking?

A
  • AKA DATA REPLACEMENT
  • It is a technique in which the masking PERMANENTLY substitutes data with fake data that appears equivalent to the original.
  • Ex: Denny Miyasato becomes Joel Kasten
    When you hear MASK, think of Halloween masks.
12
Q

What is data replacement?

A

AKA HASHING
It involves replacing real data with meaningless symbols.

13
Q

What are the 4 phases of the data life cycle?

A
  • Creation/collection
  • Use
  • Storage
  • Disposal
14
Q

Management should design and implement controls that ensure that data collection forms ask for what?

A

The MINIMUM INFORMATION NECESSARY for legitimate and lawful purposes.

15
Q

What are examples of risk assessment procedures?

A
  • Re-performance (walkthrough)
  • Inquiry
  • Inspection
  • Observation
16
Q

What is a walkthrough?

A
  • It is a risk assessment procedure in which a combination of risk assessment controls (inquiry, inspection, observation) is used to compare a process to the documented policy.
17
Q

To provide the same level of assurance as an inked signature in a paper transaction, what would a digitally signed transaction use?

A

Hashing and asymmetric encryption for authentication.

18
Q

What is hashing?

A
  • AKA Data Replacement.
  • Hashing uses an algorithm to change data into a fixed string (ex: ###).
  • After hashing the signature, the signer encrypts it using a private key.
  • The receiver is given a public key to decrypt the hashed signature.
19
Q

Privacy regulations (HIPAA) require the data subject’s _____ before the data holder can disclose information.

A

INFORMED CONSENT

20
Q

What is change management?

A
  • It is an IT practice designed to minimize disruptions to IT services while making changes to critical systems and services.
  • A change is adding, modifying, or removing anything that could have a direct/indirect effect on services.
21
Q

How should proprietary information be classified?

A

Confidential

22
Q

What is a digital signature?

A
  • It is a cryptographic technique used to verify the authenticity and integrity of digital messages, etc.
  • Digital signatures are encrypted, geolocated, and time stamped to authenticate the signer’s identity.
23
Q

What kind of encryption do digital signatures rely on?

A
  • Asymmetric encryption.
  • If a sender signs a message, they use their private key to create a unique digital signature.
  • The sender then transmits both the original message and the digital signature to the recipient.
  • The recipient uses the sender’s public key to verify the authenticity of the signature.
24
Q

What is privacy?

A

In the context of the Trust Services Criteria, PRIVACY deals only with handling PERSONAL DATA (how it’s collected, used, retained, disclosed, and disposed of).

25
Q

What is confidentiality?

A

It deals with a broad range of sensitive info, such as proprietary, strategic, financial, and personal data.

26
Q

What is the purpose of data security controls?

A

It is to ensure that storage media are subject to authorization prior to access, change, or destruction.

Examples of data security controls:
  • Access control lists
  • Firewalls
  • Intrusion detection systems
  • Intrusion prevention systems
  • Data encryption

27
Q

What is public key encryption?

A
  • AKA Asymmetric key encryption.
  • It uses a pair of keys, a public key and a private key, to encrypt and decrypt data, respectively.
  • The public key is available to anyone who wants to send an encrypted message to the owner of the private key.
  • The public key is used to encrypt the data and can be shared freely.
28
Q

What is private key encryption?

A
  • AKA Symmetric key encryption.
  • The same key is used to both encrypt and decrypt the message.
  • The sender and recipient must have the same encryption key in order to communicate securely.
29
Q

Data Loss Prevention solutions are designed to do what?

A

To protect data based on the data’s state (at rest, in transit, in use).

30
Q

What is an Acceptable Use Policy?

A

It is a policy that establishes guidelines for the use of an organization’s assets (hardware, software).